Issue
-
On May 11th, 2021, CloudBees announced a security advisory which included the Jenkins security issue SECURITY-2349/CVE-2021-21648. As a mitigation to the security issue, I want to block access to a known vulnerable URL pattern on my controller(s) and Operations Center.
Environment
-
CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
-
CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
-
CloudBees CI (CloudBees Core) on traditional platforms - Client controller
-
CloudBees CI (CloudBees Core) on traditional platforms - Operations Center
-
CloudBees Jenkins Enterprise - Managed controller
-
CloudBees Jenkins Enterprise - Operations center
Resolution
Block access to Vulnerable URLs with the CloudBees Request Filter Plugin
To mitigate the Jenkins security issue SECURITY-2349/CVE-2021-21648, you can use the CloudBees Request Filter plugin to block access to a URL pattern that is known to be vulnerable. This process does not require an upgrade or a restart.
We recommend that all clients perform the steps in this article as soon as possible so that they are protected from the vulnerability. Once these steps are done, you can plan and test an upgrade to the versions with the fix by reaching out for an Assisted Upgrade. Once you have upgraded to a version with the fix, you can remove the Request Filtering pattern that was created.
Installing and Configuring on an Operations Center
Install the CloudBees Request Filter Plugin
-
Download the CloudBees Request Filter plugin for your version of Operations Center and save it locally.
Operations Center version | Plugin version
2.235.2.3 or newer |
2.107.1.2 to 2.235.2.3 (not included) |
2.73.1.2 to 2.107.1.2 (not included) |
before 2.73.1.2 |
-
Go to Manage Jenkins -> Manage Plugins.
-
Choose Advanced. Under Upload Plugin, click Choose File and select the saved plugin file (cloudbees-request-filter.hpi). Click Upload.
Configure the Request Filter Plugin
-
Go to Manage Jenkins -> Configure System.
-
Scroll down to Request Filtering, and then select the Add rule button.
-
In URI pattern, enter the following regex pattern:
.*[/\\]upload[/\\].*("|%22).*[/\\](upload|complete).*
-
Check Custom response.
-
Under Response Code, enter 403.
-
Leave Content Type as text/html.
-
Under Content, enter the following:
<h1>Forbidden call</h1> For more information, please visit the <a href="https://cloudbees.com/r/block-url-pattern">following page</a> or <a href="https://support.cloudbees.com">contact CloudBees support</a> mentioning SECURITY-2349.
-
Select Save.
Installing and Configuring on a Standalone Controller
Install the CloudBees Request Filter Plugin
-
Go to Manage Jenkins -> Manage Plugins.
-
Choose Available. Search for CloudBees Request Filter Plugin.
-
Select Install without restart.
Configure the Request Filter Plugin
-
Go to Manage Jenkins -> Configure System.
-
Scroll down to Request Filtering, and then select the Add rule button.
-
In URI pattern, enter the following regex pattern:
.*[/\\]upload[/\\].*("|%22).*[/\\](upload|complete).*
-
Check Custom response.
-
Under Response Code, enter 403.
-
Leave Content Type as text/html.
-
Under Content, enter the following:
<h1>Forbidden call</h1> For more information, please visit the <a href="https://cloudbees.com/r/block-url-pattern">following page</a> or <a href="https://support.cloudbees.com">contact CloudBees support</a> mentioning SECURITY-2349.
-
Select Save.
Installing and Configuring on Controllers in an Operations Center cluster
In any clustered environment with an Operations Center and Controllers connected to it, you will need to apply the mitigation to the CloudBees Operations Center (see Installing and Configuring on an Operations Center), as well as to the Controllers that are managed by the Operations Center as explained below:
To install and configure the CloudBees Request Filter plugin on multiple controllers managed by a CloudBees Operations Center, you can use a Cluster Operation.
Note: Controllers must be Running and Connected for the Cluster Operation to be successful and correctly apply the workaround.
To create and configure a cluster operation:
-
On your operations center, click New Item and choose Cluster Operations, and choose a name of your choice (such as Apply SECURITY-2349 to all online controllers).
-
Optionally, you can configure this with Build Triggers -> Build periodically to run this cluster operation periodically, as it is safe to run multiple times on the same controllers (it is idempotent).
-
In Target Managed controllers, add the controllers upon which you want to set up the request filter (such as From Operations Center Root).
-
Under Filters, click Add Filter and choose Client Controller / Managed Controller Is Online.
-
Add the following steps:
-
An Install plugin step with the plugin ID set to cloudbees-request-filter and no version (leave the Version field blank). Using no version instructs the system to use the most recent plugin available for the given controller.
-
An Execute Groovy Script on Controller step using the following script.
    import com.cloudbees.jenkins.plugins.requestfilter.*

    // Regex of the vulnerable URL pattern; backslashes are doubled because this is a Groovy string literal.
    String mitigationPattern = '.*[/\\\\]upload[/\\\\].*("|%22).*[/\\\\](upload|complete).*'
    int responseCode = 403
    String responseContent = '''
    <h1>Forbidden call</h1> For more information, please visit the <a href="https://cloudbees.com/r/block-url-pattern">following page</a> or <a href="https://support.cloudbees.com">contact CloudBees support</a> mentioning SECURITY-2349.
    '''
    String responseContentType = 'text/html'

    // Let's preserve existing configuration, if any.
    // Also, this code is idempotent so we can run it multiple times without worrying we'd add X times the same config.
    List<Rule> existingRules = new ArrayList(Rules.get().getRules()) // reinstantiation needed because emptyList() is immutable
    if( existingRules.collect { rule -> rule.pattern }.findAll { rulePattern -> mitigationPattern.equals(rulePattern) }.isEmpty() ) {
        println "mitigation pattern not found, adding it"
        Rule mitigationRule = new Rule(mitigationPattern)
        mitigationRule.setResponse(new Response(responseCode, responseContentType, responseContent))
        existingRules.add(mitigationRule)
        Rules.get().setRules(existingRules)
    } else {
        println 'mitigation pattern found, no-op'
    }
-
Select Save and Run.
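To check what the Request Filtering rule actually refuses before rolling it out, the following Python script (an added example, not CloudBees code) compiles the URI pattern from this article, shows that the doubled-backslash string in the Groovy script and the pattern typed into the UI denote the same regex, and runs a few constructed request paths through it; the sample paths are made up for the test and are not captured traffic.

```python
import re

# The pattern exactly as typed into the Request Filtering "URI pattern" field.
UI_PATTERN = r'.*[/\\]upload[/\\].*("|%22).*[/\\](upload|complete).*'
# The same rule inside the Groovy script's single-quoted string literal,
# where each backslash has to be doubled once more.
GROOVY_LITERAL = r'.*[/\\\\]upload[/\\\\].*("|%22).*[/\\\\](upload|complete).*'

RESPONSE_CODE = 403
RESPONSE_CONTENT_TYPE = 'text/html'

def groovy_literal_to_regex(literal: str) -> str:
    """Undo the one level of escaping a Groovy single-quoted string applies,
    giving the regex the Request Filter plugin actually stores."""
    return literal.replace('\\\\', '\\')

def is_blocked(uri: str, pattern: str = UI_PATTERN) -> bool:
    """True if the request path matches the mitigation rule. The leading and
    trailing .* make the result the same under full-match or find semantics."""
    return re.fullmatch(pattern, uri) is not None

def filter_request(uri: str):
    """Simulate the rule: (code, content type) for a blocked request,
    None when the request would be passed through unchanged."""
    if is_blocked(uri):
        return RESPONSE_CODE, RESPONSE_CONTENT_TYPE
    return None

# Constructed sample paths (not captured traffic). Only paths with an upload
# segment, a literal or percent-encoded double quote, and a trailing
# upload/complete segment are refused; ordinary upload paths are untouched.
SAMPLES = {
    '/upload/%22/complete': True,
    '/upload/"/upload': True,
    '\\upload\\%22\\upload': True,   # backslash separators are covered too
    '/upload/x/complete': False,    # no quote character
    '/job/demo/upload/': False,     # plain upload URL stays reachable
    '/upload/%22/status': False,    # quote but no upload/complete suffix
}

if __name__ == '__main__':
    assert groovy_literal_to_regex(GROOVY_LITERAL) == UI_PATTERN
    for path, expected in SAMPLES.items():
        assert is_blocked(path) == expected, path
        print(f'{path!r:28} -> {filter_request(path) or "pass-through"}')
```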
Upgrade the Credentials Plugin to a version with the fix
Another workaround is to upgrade the Credentials plugin to a version with the fix. The fix has been backported to several release lines of the plugin.
-
Download the Credentials plugin for your version of Core.
CloudBees CI version | Plugin version
2.277.4.3 or newer |
2.277.x to 2.277.4.3 (not included) |
2.263.x to 2.277.x (not included) |
2.235.x to 2.263.x (not included) |
2.222.4.x to 2.235.x (not included) |
2.176.2.3 to 2.222.4.x (not included) |
before 2.176.2.3 |
Use the workaround with the CloudBees Request Filter plugin
-
Go to Manage Jenkins -> Manage Plugins.
-
Choose Advanced. Under Upload Plugin, click Choose File and select the saved plugin file (credentials.hpi). Click Upload.
-
Go to Manage Jenkins -> Beekeeper Upgrade Assistant -> CAP Configuration and ensure that Allow automatic downgrades of plugins on restart is disabled (ensure it is not checked). This prevents the Credentials Plugin from being downgraded when restarting.
-
Restart Jenkins (https://JENKINS_URL/restart).
Note: When upgrading CloudBees CI, the Credentials Plugin might be upgraded to a greater version that does not have the fix. For example, if you are running CloudBees CI 2.222.4.3 with Credentials Plugin 2.3.7.1 and then upgrade to CloudBees CI 2.235.1.2, the Credentials plugin will be automatically upgraded to 2.3.11, which does not have the fix. This workaround is mainly suitable when planning to upgrade to the latest version in the near future.